Bumping version of httparty to ensure protection from CVE-2025-68696 (2nd approach) by michelgoldstein · Pull Request #100 · SiftScience/sift-ruby

michelgoldstein · 2026-02-13T01:16:35Z

Purpose

https://nvd.nist.gov/vuln/detail/CVE-2025-68696
In order to ensure that our clients will not accidentally pick a vulnerable version of httparty, we bump the minimum version of the library dependency to 0.23.3 (> 0.23.2 as defined in the CVE)

Part of the fix to the vulnerability was to prevent overriding the base URL. Unfortunately we use that feature in our code to point some APIs to api.siftscience.com and others to api3.siftscience.com. Therefore it required a little bit more work to define multiple instances with different base URLs instead of a single one.
This is different from the first approach to handle the ability to more directly modify the instance of HTTParty and change other parameters, like loggers. The initial approach would hide the underlying instances forcing us to control the exposed parameters (like timeout).

michelgoldstein added 9 commits February 9, 2026 16:54

Bumping version of httparty to ensure protection from CVE-2025-68696

af9cce5

Bump version

a164d44

Implement PR feedback

c2aff9f

Increase min Ruby version to 2.7.0

096a6cc

Refactor: Client and Router inherit from shared HTTParty config parent

b4b50e3

Merge branch 'master' into dynamic-client-resolution

a459660

New approach to client resolution

73c98d0

Add new unit test for configurations

f80a7dd

Minor fixes

acb74bc